1 /*
2 * Copyright 2004-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * SHA256 low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15
16 #include <openssl/opensslconf.h>
17
18 #include <stdlib.h>
19 #include <string.h>
20
21 #include <openssl/crypto.h>
22 #include <openssl/sha.h>
23 #include <openssl/opensslv.h>
24 #include "internal/endian.h"
25 #include "crypto/sha.h"
26
SHA224_Init(SHA256_CTX * c)27 int SHA224_Init(SHA256_CTX *c)
28 {
29 memset(c, 0, sizeof(*c));
30 c->h[0] = 0xc1059ed8UL;
31 c->h[1] = 0x367cd507UL;
32 c->h[2] = 0x3070dd17UL;
33 c->h[3] = 0xf70e5939UL;
34 c->h[4] = 0xffc00b31UL;
35 c->h[5] = 0x68581511UL;
36 c->h[6] = 0x64f98fa7UL;
37 c->h[7] = 0xbefa4fa4UL;
38 c->md_len = SHA224_DIGEST_LENGTH;
39 return 1;
40 }
41
SHA256_Init(SHA256_CTX * c)42 int SHA256_Init(SHA256_CTX *c)
43 {
44 memset(c, 0, sizeof(*c));
45 c->h[0] = 0x6a09e667UL;
46 c->h[1] = 0xbb67ae85UL;
47 c->h[2] = 0x3c6ef372UL;
48 c->h[3] = 0xa54ff53aUL;
49 c->h[4] = 0x510e527fUL;
50 c->h[5] = 0x9b05688cUL;
51 c->h[6] = 0x1f83d9abUL;
52 c->h[7] = 0x5be0cd19UL;
53 c->md_len = SHA256_DIGEST_LENGTH;
54 return 1;
55 }
56
ossl_sha256_192_init(SHA256_CTX * c)57 int ossl_sha256_192_init(SHA256_CTX *c)
58 {
59 SHA256_Init(c);
60 c->md_len = SHA256_192_DIGEST_LENGTH;
61 return 1;
62 }
63
SHA224_Update(SHA256_CTX * c,const void * data,size_t len)64 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
65 {
66 return SHA256_Update(c, data, len);
67 }
68
SHA224_Final(unsigned char * md,SHA256_CTX * c)69 int SHA224_Final(unsigned char *md, SHA256_CTX *c)
70 {
71 return SHA256_Final(md, c);
72 }
73
74 #define DATA_ORDER_IS_BIG_ENDIAN
75
76 #define HASH_LONG SHA_LONG
77 #define HASH_CTX SHA256_CTX
78 #define HASH_CBLOCK SHA_CBLOCK
79
80 /*
81 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
82 * default: case below covers for it. It's not clear however if it's
83 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
84 * but if it is, then default: case shall be extended. For reference.
85 * Idea behind separate cases for pre-defined lengths is to let the
86 * compiler decide if it's appropriate to unroll small loops.
87 */
88 #define HASH_MAKE_STRING(c,s) do { \
89 unsigned long ll; \
90 unsigned int nn; \
91 switch ((c)->md_len) { \
92 case SHA256_192_DIGEST_LENGTH: \
93 for (nn=0;nn<SHA256_192_DIGEST_LENGTH/4;nn++) { \
94 ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); \
95 } \
96 break; \
97 case SHA224_DIGEST_LENGTH: \
98 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) { \
99 ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); \
100 } \
101 break; \
102 case SHA256_DIGEST_LENGTH: \
103 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) { \
104 ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); \
105 } \
106 break; \
107 default: \
108 if ((c)->md_len > SHA256_DIGEST_LENGTH) \
109 return 0; \
110 for (nn=0;nn<(c)->md_len/4;nn++) { \
111 ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); \
112 } \
113 break; \
114 } \
115 } while (0)
116
117 #define HASH_UPDATE SHA256_Update
118 #define HASH_TRANSFORM SHA256_Transform
119 #define HASH_FINAL SHA256_Final
120 #define HASH_BLOCK_DATA_ORDER sha256_block_data_order
121 #ifndef SHA256_ASM
122 static
123 #else
124 # ifdef INCLUDE_C_SHA256
125 void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num);
126 # endif /* INCLUDE_C_SHA256 */
127 #endif /* SHA256_ASM */
128 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
129
130 #include "crypto/md32_common.h"
131
132 #if !defined(SHA256_ASM) || defined(INCLUDE_C_SHA256)
133 static const SHA_LONG K256[64] = {
134 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
135 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
136 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
137 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
138 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
139 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
140 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
141 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
142 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
143 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
144 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
145 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
146 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
147 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
148 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
149 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
150 };
151
152 # ifndef PEDANTIC
153 # if defined(__GNUC__) && __GNUC__>=2 && \
154 !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
155 # if defined(__riscv_zknh)
156 # define Sigma0(x) ({ MD32_REG_T ret; \
157 asm ("sha256sum0 %0, %1" \
158 : "=r"(ret) \
159 : "r"(x)); ret; })
160 # define Sigma1(x) ({ MD32_REG_T ret; \
161 asm ("sha256sum1 %0, %1" \
162 : "=r"(ret) \
163 : "r"(x)); ret; })
164 # define sigma0(x) ({ MD32_REG_T ret; \
165 asm ("sha256sig0 %0, %1" \
166 : "=r"(ret) \
167 : "r"(x)); ret; })
168 # define sigma1(x) ({ MD32_REG_T ret; \
169 asm ("sha256sig1 %0, %1" \
170 : "=r"(ret) \
171 : "r"(x)); ret; })
172 # endif
173 # if defined(__riscv_zbt) || defined(__riscv_zpn)
174 # define Ch(x,y,z) ({ MD32_REG_T ret; \
175 asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
176 : "=r"(ret) \
177 : "r"(x), "r"(y), "r"(z)); ret; })
178 # define Maj(x,y,z) ({ MD32_REG_T ret; \
179 asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
180 : "=r"(ret) \
181 : "r"(x^z), "r"(y), "r"(x)); ret; })
182 # endif
183 # endif
184 # endif
185
186 /*
187 * FIPS specification refers to right rotations, while our ROTATE macro
188 * is left one. This is why you might notice that rotation coefficients
189 * differ from those observed in FIPS document by 32-N...
190 */
191 # ifndef Sigma0
192 # define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
193 # endif
194 # ifndef Sigma1
195 # define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
196 # endif
197 # ifndef sigma0
198 # define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
199 # endif
200 # ifndef sigma1
201 # define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
202 # endif
203 # ifndef Ch
204 # define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
205 # endif
206 # ifndef Maj
207 # define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
208 # endif
209
210 # ifdef OPENSSL_SMALL_FOOTPRINT
211
sha256_block_data_order(SHA256_CTX * ctx,const void * in,size_t num)212 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
213 size_t num)
214 {
215 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
216 SHA_LONG X[16], l;
217 int i;
218 const unsigned char *data = in;
219
220 while (num--) {
221
222 a = ctx->h[0];
223 b = ctx->h[1];
224 c = ctx->h[2];
225 d = ctx->h[3];
226 e = ctx->h[4];
227 f = ctx->h[5];
228 g = ctx->h[6];
229 h = ctx->h[7];
230
231 for (i = 0; i < 16; i++) {
232 (void)HOST_c2l(data, l);
233 T1 = X[i] = l;
234 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
235 T2 = Sigma0(a) + Maj(a, b, c);
236 h = g;
237 g = f;
238 f = e;
239 e = d + T1;
240 d = c;
241 c = b;
242 b = a;
243 a = T1 + T2;
244 }
245
246 for (; i < 64; i++) {
247 s0 = X[(i + 1) & 0x0f];
248 s0 = sigma0(s0);
249 s1 = X[(i + 14) & 0x0f];
250 s1 = sigma1(s1);
251
252 T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
253 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
254 T2 = Sigma0(a) + Maj(a, b, c);
255 h = g;
256 g = f;
257 f = e;
258 e = d + T1;
259 d = c;
260 c = b;
261 b = a;
262 a = T1 + T2;
263 }
264
265 ctx->h[0] += a;
266 ctx->h[1] += b;
267 ctx->h[2] += c;
268 ctx->h[3] += d;
269 ctx->h[4] += e;
270 ctx->h[5] += f;
271 ctx->h[6] += g;
272 ctx->h[7] += h;
273
274 }
275 }
276
277 # else
278
279 # define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
280 T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
281 h = Sigma0(a) + Maj(a,b,c); \
282 d += T1; h += T1; } while (0)
283
284 # define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
285 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
286 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
287 T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
288 ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
289
290 #ifdef INCLUDE_C_SHA256
sha256_block_data_order_c(SHA256_CTX * ctx,const void * in,size_t num)291 void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num)
292 #else
293 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
294 size_t num)
295 #endif
296 {
297 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
298 SHA_LONG X[16];
299 int i;
300 const unsigned char *data = in;
301 DECLARE_IS_ENDIAN;
302
303 while (num--) {
304
305 a = ctx->h[0];
306 b = ctx->h[1];
307 c = ctx->h[2];
308 d = ctx->h[3];
309 e = ctx->h[4];
310 f = ctx->h[5];
311 g = ctx->h[6];
312 h = ctx->h[7];
313
314 if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
315 && ((size_t)in % 4) == 0) {
316 const SHA_LONG *W = (const SHA_LONG *)data;
317
318 T1 = X[0] = W[0];
319 ROUND_00_15(0, a, b, c, d, e, f, g, h);
320 T1 = X[1] = W[1];
321 ROUND_00_15(1, h, a, b, c, d, e, f, g);
322 T1 = X[2] = W[2];
323 ROUND_00_15(2, g, h, a, b, c, d, e, f);
324 T1 = X[3] = W[3];
325 ROUND_00_15(3, f, g, h, a, b, c, d, e);
326 T1 = X[4] = W[4];
327 ROUND_00_15(4, e, f, g, h, a, b, c, d);
328 T1 = X[5] = W[5];
329 ROUND_00_15(5, d, e, f, g, h, a, b, c);
330 T1 = X[6] = W[6];
331 ROUND_00_15(6, c, d, e, f, g, h, a, b);
332 T1 = X[7] = W[7];
333 ROUND_00_15(7, b, c, d, e, f, g, h, a);
334 T1 = X[8] = W[8];
335 ROUND_00_15(8, a, b, c, d, e, f, g, h);
336 T1 = X[9] = W[9];
337 ROUND_00_15(9, h, a, b, c, d, e, f, g);
338 T1 = X[10] = W[10];
339 ROUND_00_15(10, g, h, a, b, c, d, e, f);
340 T1 = X[11] = W[11];
341 ROUND_00_15(11, f, g, h, a, b, c, d, e);
342 T1 = X[12] = W[12];
343 ROUND_00_15(12, e, f, g, h, a, b, c, d);
344 T1 = X[13] = W[13];
345 ROUND_00_15(13, d, e, f, g, h, a, b, c);
346 T1 = X[14] = W[14];
347 ROUND_00_15(14, c, d, e, f, g, h, a, b);
348 T1 = X[15] = W[15];
349 ROUND_00_15(15, b, c, d, e, f, g, h, a);
350
351 data += SHA256_CBLOCK;
352 } else {
353 SHA_LONG l;
354
355 (void)HOST_c2l(data, l);
356 T1 = X[0] = l;
357 ROUND_00_15(0, a, b, c, d, e, f, g, h);
358 (void)HOST_c2l(data, l);
359 T1 = X[1] = l;
360 ROUND_00_15(1, h, a, b, c, d, e, f, g);
361 (void)HOST_c2l(data, l);
362 T1 = X[2] = l;
363 ROUND_00_15(2, g, h, a, b, c, d, e, f);
364 (void)HOST_c2l(data, l);
365 T1 = X[3] = l;
366 ROUND_00_15(3, f, g, h, a, b, c, d, e);
367 (void)HOST_c2l(data, l);
368 T1 = X[4] = l;
369 ROUND_00_15(4, e, f, g, h, a, b, c, d);
370 (void)HOST_c2l(data, l);
371 T1 = X[5] = l;
372 ROUND_00_15(5, d, e, f, g, h, a, b, c);
373 (void)HOST_c2l(data, l);
374 T1 = X[6] = l;
375 ROUND_00_15(6, c, d, e, f, g, h, a, b);
376 (void)HOST_c2l(data, l);
377 T1 = X[7] = l;
378 ROUND_00_15(7, b, c, d, e, f, g, h, a);
379 (void)HOST_c2l(data, l);
380 T1 = X[8] = l;
381 ROUND_00_15(8, a, b, c, d, e, f, g, h);
382 (void)HOST_c2l(data, l);
383 T1 = X[9] = l;
384 ROUND_00_15(9, h, a, b, c, d, e, f, g);
385 (void)HOST_c2l(data, l);
386 T1 = X[10] = l;
387 ROUND_00_15(10, g, h, a, b, c, d, e, f);
388 (void)HOST_c2l(data, l);
389 T1 = X[11] = l;
390 ROUND_00_15(11, f, g, h, a, b, c, d, e);
391 (void)HOST_c2l(data, l);
392 T1 = X[12] = l;
393 ROUND_00_15(12, e, f, g, h, a, b, c, d);
394 (void)HOST_c2l(data, l);
395 T1 = X[13] = l;
396 ROUND_00_15(13, d, e, f, g, h, a, b, c);
397 (void)HOST_c2l(data, l);
398 T1 = X[14] = l;
399 ROUND_00_15(14, c, d, e, f, g, h, a, b);
400 (void)HOST_c2l(data, l);
401 T1 = X[15] = l;
402 ROUND_00_15(15, b, c, d, e, f, g, h, a);
403 }
404
405 for (i = 16; i < 64; i += 8) {
406 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
407 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
408 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
409 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
410 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
411 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
412 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
413 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
414 }
415
416 ctx->h[0] += a;
417 ctx->h[1] += b;
418 ctx->h[2] += c;
419 ctx->h[3] += d;
420 ctx->h[4] += e;
421 ctx->h[5] += f;
422 ctx->h[6] += g;
423 ctx->h[7] += h;
424
425 }
426 }
427
428 # endif
429 #endif /* SHA256_ASM */
430